From d602715793349a90625cbc8688178b2526b95b45 Mon Sep 17 00:00:00 2001
From: JeffryM <13516156@std.stei.itb.ac.id>
Date: Mon, 3 Feb 2020 12:34:36 +0700
Subject: [PATCH] Add escape HTML in review field

---
 controller/SubmitReviewController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/controller/SubmitReviewController.php b/controller/SubmitReviewController.php
index d76a13c..2bd0a4a 100644
--- a/controller/SubmitReviewController.php
+++ b/controller/SubmitReviewController.php
@@ -25,7 +25,7 @@ class SubmitReviewController extends BaseController {
                         $review = new Entity\GenericEntity(array(
                             "book_id" => $this->getArg('book_id'),
                             "username" => $this->getUsername(),
-                            "message" => $this->getArg('message'),
+                            "message" => escapeHTML($this->getArg('message')),
                             "rating" => $this->getArg('rating'),
                         ));
                         if ($model_review->create($review)) {
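Review bot: Escaping `message` on line 19 at write time stores an HTML-encoded string in the review entity, so every reader of that column now has to know it is pre-escaped; a view that applies `htmlspecialchars()` again will double-encode (`&amp;lt;`), while a non-HTML consumer (JSON API, email, CSV export) will emit literal entities. The usual fix is to persist the raw text and escape at the output boundary with `htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in the template; if storage-time escaping is intentional, it should at least be recorded next to the field, e.g. `// message is stored HTML-escaped by escapeHTML(); templates must not escape it again`. `escapeHTML` is not a PHP builper, so it is presumably a project helper whose quoting flags and charset are not visible here and should be checked to match the rendering context. `book_id` and `rating` on lines 16 and 20 are passed through unchanged, which is fine only if the model layer validates them. The enclosing method and the surrounding `if`/`try` structure begin and end outside this hunk.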
-- 
GitLab